Paul Squires on security and related topics


The edge is where things are most interesting. You get the best view, but there’s a risk of falling off.

In reality though, there are few hard edges; most things are sloped to some degree but there’s a cut-off point in our perception where we interpret something as a cliff rather than something we’d roll cheese down to chase. Most scenarios are covered (or can at least be partially understood) by normal distribution curves (or bell curves, if you will). Another way to think of this, and possibly more common in the IT world, is with the Pareto principle. Even without knowing the details, pretty much everyone seems to know of the underlying 80:20 rule and the associated distributions (land ownership, wealth, effort/results) along with a basic understanding of marginal utility (an extra hundred pounds is more valuable to someone who has one hundred pounds than to someone who has one thousand).

These are incredibly useful for designing any system – whether it be security, economic or political – knowing that we can achieve 80% of the results with 20% of the effort and cost. So long as we do that, it may well be good enough. Useful as this is, this can be an insidious process – the problem comes at the back-end. Once we’ve achieved 80% of the results we’ll need to put in four times as much effort to achieve the rest (of course, the rule also applies here – the last one percent of anything is the most difficult).

Two areas that often overlap are great examples of where this can, and does, go wrong – security and legislation. Let’s think of a simple example where a company wants to block employees from accessing Facebook during working hours. A block can be implemented in many technical ways, requiring almost zero effort in most cases; but then add an exception for someone who actually needs to work with it and the effort increases. Even worse, we realise that Facebook isn’t a problem any more since everyone has moved to Diaspora, or people are using Twitter. Perhaps a more stringent policy on social media is needed, so let’s start by defining what that is. Regardless, people can use anonymous proxies, SSH tunnels or even just their phones to access the services anyway. We quickly escalate from a simple policy and accompanying solution to something almost impossible to maintain, costly and ultimately ineffective.

We see these issues all the time in our legislation (here’s a good example from the USA), tax codes and security implementations. From a pure security point of view we see why things are so reactive and result in the “whack-a-mole” security implementations we have. This is where the edge is important.

Security decisions taken for the majority will need exceptions – even something relatively simple such as configuring an AV solution will have many options; one size doesn’t fit all and many security professionals choose not to run AV at all. To follow our analogy, some people want to lean over and look down, others want to be held back. Appetite for risk, availability of resources and many other factors will affect our security decisions, but building flexibility in is vital.

Stepping too close isn’t big, clever or usually recommended; but there are a number of situations where it’s required and our security processes and solutions should bend in those cases where we can.